Description
Currently, signing key is hardcoded as text:
syncthing/lib/upgrade/signingkey.go
Lines 14 to 19 in 2ae15aa
```go
var SigningKey = []byte(`-----BEGIN EC PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA1iRk+p+DsmolixxVKcpEVlMDPOeQ
1dWthURMqsjxoJuDAe5I98P/A0kXSdBI7avm5hXhX2opJ5TAyBZLHPpDTRoBg4WN
7jUpeAjtPoVVxvOh37qDeDVcjCgJbbDTPKbjxq/Ae3SHlQMRcoes7lVY1+YJ8dPk
2oPfjA6jtmo9aVbf/uo=
-----END EC PUBLIC KEY-----`)
```
The Release Signing page states:

> You can then sign binaries with the private key using stsigtool sign, verify them with the public key using stsigtool verify, and have Syncthing accept these signatures by replacing the compiled in public key. This may be useful in an enterprise setting, for example.

So, "in an enterprise setting" you'd either need to patch/replace signingkey.go on the fly or maintain a separate copy of the repo and rebase the signing-key changes on top of every release.
Solution
Since the introduction of the embed package in Go 1.16, embedding the key file becomes as simple as this:

```go
import _ "embed"

//go:embed pubkey.pem
var SigningKey []byte
```

```
$ cat pubkey.pem
-----BEGIN EC PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA1iRk+p+DsmolixxVKcpEVlMDPOeQ
1dWthURMqsjxoJuDAe5I98P/A0kXSdBI7avm5hXhX2opJ5TAyBZLHPpDTRoBg4WN
7jUpeAjtPoVVxvOh37qDeDVcjCgJbbDTPKbjxq/Ae3SHlQMRcoes7lVY1+YJ8dPk
2oPfjA6jtmo9aVbf/uo=
-----END EC PUBLIC KEY-----
```

This makes it possible to simply replace pubkey.pem during the build without fiddling with Go source files.
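The following is an added, self-contained example (not syncthing's code and not the issue author's) of what consuming such an embedded key looks like end to end: parse the PEM that `//go:embed pubkey.pem` would supply, reject anything that is not an EC key at startup, and verify a signature over a binary. Because no `pubkey.pem` exists next to this snippet, the `go:embed` directive is shown only in a comment and `SigningKey` is filled at `init()` with a freshly generated P-521 key (constructed for the example). The SHA-256 hash and ASN.1 signature encoding are assumptions for illustration, not a claim about what stsigtool actually does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// In a real build the bytes come from the file dropped in at build time:
//
//	//go:embed pubkey.pem
//	var SigningKey []byte
//
// No pubkey.pem ships with this example, so SigningKey is populated in init()
// with a constructed key in exactly the same PEM layout.
var SigningKey []byte

// signingPriv is the constructed private half, kept here only so the example
// can produce a signature to check. A release signer never ships this.
var signingPriv *ecdsa.PrivateKey

func init() {
	priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signingPriv = priv
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	// PKIX SubjectPublicKeyInfo under an "EC PUBLIC KEY" header, matching the
	// layout of the key shown in signingkey.go / pubkey.pem above.
	SigningKey = pem.EncodeToMemory(&pem.Block{Type: "EC PUBLIC KEY", Bytes: der})
}

// ParseSigningKey turns the embedded PEM into an ECDSA public key. A missing
// block, undecodable DER or a non-EC key (say an RSA file dropped in by
// mistake) is reported here, at startup, rather than surfacing later as every
// signature mysteriously failing to verify.
func ParseSigningKey(pemBytes []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("signing key: no PEM block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("signing key: %w", err)
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("signing key: expected ECDSA key, got %T", pub)
	}
	return ecPub, nil
}

// Sign hashes data with SHA-256 and returns an ASN.1-encoded ECDSA signature
// (assumed format for this example).
func Sign(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify reports whether sig is a valid signature over data under the key
// embedded in pemKey. A parse failure is returned as an error so callers can
// distinguish "bad key file" from "bad signature".
func Verify(pemKey, data, sig []byte) (bool, error) {
	pub, err := ParseSigningKey(pemKey)
	if err != nil {
		return false, err
	}
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig), nil
}

func main() {
	binary := []byte("constructed stand-in for a release binary")
	sig, err := Sign(signingPriv, binary)
	if err != nil {
		panic(err)
	}
	ok, err := Verify(SigningKey, binary, sig)
	fmt.Println("genuine binary verifies:", ok, err)

	tampered := append([]byte{}, binary...)
	tampered[0] ^= 0x01 // flip one bit
	ok, err = Verify(SigningKey, tampered, sig)
	fmt.Println("tampered binary verifies:", ok, err)
}
```

Swapping the key for an enterprise deployment is then a matter of writing a different `pubkey.pem` before `go build`; the parse step above is what catches a wrong or truncated file at startup instead of at upgrade time.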